Edgewall Software

Extension Point: IPermissionStore


The active IPermissionStore implementation stores the permissions and group memberships explicitly granted to users and groups.


The TracPermissions system supports granting and revoking action permissions per user, and hierarchical groups that bundle and inherit permissions. The IPermissionStore interface can be used to replace the storage mechanism for these granted permissions.

Note that to implicitly grant additional permissions to certain users automatically, it is not necessary to implement (or wrap) IPermissionStore. Implement IPermissionGroupProvider instead.


Implementing the interface follows the standard guidelines found in TracDev/ComponentArchitecture and of course TracDev/PluginDevelopment.

Only the permission_store configured in trac.ini will be used. The configured implementation will be called by the permissions system to grant, revoke and query permissions. This information is automatically cached and reused for some time.


Due to the complexity of implementing a full permission store backend, no simple example can be provided here.
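
A stand-alone, in-memory model of the grant, revoke and query calls and of hierarchical group expansion, added here as an illustration; it is not Trac's code and not a usable backend. Method names mirror IPermissionStore in trac.perm; the rule that an all-uppercase name is an action and any other name is a group follows DefaultPermissionStore, and the users, groups and the cycle in demo() are constructed. Groups supplied by IPermissionGroupProvider and the caching mentioned above are not modelled.

```python
class InMemoryPermissionStore:
    """Stand-alone model of the IPermissionStore contract (not a Trac component)."""

    def __init__(self):
        # Each row is (subject, action_or_group), exactly as explicitly granted.
        self._rows = set()

    def grant_permission(self, username, action):
        self._rows.add((username, action))

    def revoke_permission(self, username, action):
        self._rows.discard((username, action))

    def get_all_permissions(self):
        return sorted(self._rows)

    def get_user_permissions(self, username):
        # Expand group memberships to a fixed point. A group already in
        # `subjects` is never queued again, so cyclic groups terminate.
        subjects, actions, pending = {username}, set(), [username]
        while pending:
            subject = pending.pop()
            for granted in [g for owner, g in self._rows if owner == subject]:
                if granted.isupper():            # all-uppercase: an action
                    actions.add(granted)
                elif granted not in subjects:    # anything else: a group name
                    subjects.add(granted)
                    pending.append(granted)
        return sorted(actions)

    def get_users_with_permissions(self, permissions):
        # Assumption: no user directory here, so every subject with a row
        # (users and groups alike) is considered.
        wanted = set(permissions)
        subjects = {owner for owner, _ in self._rows}
        return sorted(s for s in subjects
                      if wanted & set(self.get_user_permissions(s)))


def demo():
    store = InMemoryPermissionStore()
    store.grant_permission("developers", "TICKET_MODIFY")
    store.grant_permission("admins", "developers")
    store.grant_permission("admins", "TRAC_ADMIN")
    store.grant_permission("developers", "admins")   # constructed cycle
    store.grant_permission("alice", "developers")
    before = store.get_user_permissions("alice")
    store.revoke_permission("alice", "developers")
    return before, store.get_user_permissions("alice")
```

Because membership is expanded to a fixed point, the constructed cycle gives every member of developers TRAC_ADMIN in this model; stored group rows are worth auditing for such loops.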

Available Implementations

In Trac:

DefaultPermissionStore: Stores permissions and admin-defined permission groups in the project environment's SQL database.

In third-party plugins:

th:LdapPlugin: LdapPermissionStore uses an LDAP directory as the permission store backend.
th:ActiveDirectoryAuthPlugin: UserExtensiblePermissionStore extends DefaultPermissionStore, adding an extension point, implemented to provide TRAC_ADMIN for members of a certain Active Directory group.
th:TracForgePlugin: TracForgePermissionStore extends DefaultPermissionStore for multi-project permissions.
th:SuperUserPlugin: Wraps another (Default)PermissionStore to automatically give some users TRAC_ADMIN privileges.

Additional Information and References

Last modified on Sep 24, 2017, 2:35:47 PM